Hoooks into the laravel auth module and provides an auth token upon success. This token is really only secure in https environment. This main purpose for this module was to provide an auth token to javascript web app which could be used to identify users on api calls.
Add the service provider to app/config/app.php
'Tappleby\AuthToken\AuthTokenServiceProvider',
Setup the optional aliases in app/config/app.php
'AuthToken' => 'Tappleby\Support\Facades\AuthToken',
'AuthTokenController' => 'Tappleby\Support\Facades\AuthTokenController',
'AuthTokenNotAuthorizedException' => 'Tappleby\AuthToken\Exceptions\NotAuthorizedException'
A default controller is provided to grant, check and revoke tokens. Add the following to app/routes.php
Route::get('auth', 'AuthTokenController@index');
Route::post('auth', 'AuthTokenController@store');
Route::delete('auth', 'AuthTokenController@destroy');
Returns current user as json. Requires the X-Auth-Token header to be present. On Fail throws NotAuthorizedException.
Required input username and password. On success returns json object containing token and user. On Fail throws NotAuthorizedException.
Purges the users tokens. Requires the X-Auth-Token header to be present. On Fail throws NotAuthorizedException.
NotAuthorizedException has a 401 error code by default.
An auth.token route filter gets registered by the service provider. To protect a resource just register a before filter. Filter will throw an NotAuthorizedException if X-Auth-Token is invalid or not present.
Route::group(array('prefix' => 'api', 'before' => 'auth.token'), function() {
Route::get('/', function() {
return "Protected resource";
});
});
The route filter will trigger auth.token.valid with the authorized user when a valid auth token is provided.
Event::listen('auth.token.valid', function($user)
{
//Token is valid, set the user on auth system.
Auth::setUser($user);
});
Optionalliy register the NotAuthorizedException as alias eg. AuthTokenNotAuthorizedException
App::error(function(AuthTokenNotAuthorizedException $exception) {
if(Request::ajax()) {
return Response::json(array('error' => $exception->getMessage()), $exception->getCode());
}
…Handle non ajax response…
});
Some apps might already be using the traditional laravel based auth. The following can be used to manually generate a token.
if(Auth::check()) {
$authToken = AuthToken::create(Auth::user());
$publicToken = AuthToken::publicToken($authToken);
}
The AuthToken::publicToken method prepares the auth token to be sent to the browser.
Using the jQuery ajaxPrefilter method the X-Auth-Token can be set automatically on ajax request.
// Register ajax prefilter. If app config contains auth_token will automatically set header,
$.ajaxPrefilter(function (options, originalOptions, jqXHR) {
if (config.auth_token) {
jqXHR.setRequestHeader('X-Auth-Token', config.auth_token);
}
});
If a 401 response code is recieved it can also handled automatically. In the following example I opted to redirect to logout page to ensure user session was destroyed.
// If a 401 http error is recieved, automatically redirect to logout page.
$(document).ajaxError(function (event, jqxhr) {
if (jqxhr && jqxhr.status === 401) {
window.location = '/logout';
}
});
View composer can be used to automatically bind data to views. This keeps logic all in one spot. I use the following to setup config variables for javascript.
View::composer('layouts.default', function($view)
{
$rootUrl = rtrim(URL::route('home'), '/');
$jsConfig = isset($view->jsConfig) ? $view->jsConfig : array();
$jsConfig = array_merge(array(
'rootUrl' => $rootUrl
), $jsConfig);
if(Auth::check()) {
$authToken = AuthToken::create(Auth::user());
$publicToken = AuthToken::publicToken($authToken);
$userData = array_merge(
Auth::user()->toArray(),
array('auth_token' => $publicToken)
);
$jsConfig['userData'] = $userData;
}
$view->with('jsConfig', $jsConfig);
});